Secure 2FA with TOTP and zk-SNARKs

In our pursuit of enhancing security within blockchain applications, we've integrated a Two-Factor Authentication (2FA) system using Time-based One-Time Passwords (TOTP) verified through Zero-Knowledge Succinct Non-Interactive Arguments of Knowledge (zk-SNARKs). This approach ensures the authenticity of transactions and actions without compromising user privacy. Furthermore, all user and system data related to 2FA are securely stored in an append-only database using Conflict-Free Replicated Data Types (CRDTs) backed by IPFS DAGs, ensuring data integrity and resilience.

Overview

TOTP System

The TOTP system generates a temporary code based on a shared secret and the current time. This method is widely used for 2FA, providing an additional layer of security beyond just passwords.

  • Secret Generation: Upon account creation, a unique secret is generated for each user.

  • TOTP Generation and Verification: The TOTP is generated by the user's device and verified by our system to grant access or validate transactions.

zk-SNARKs Integration

zk-SNARKs allow the verification of possession of the TOTP without revealing the TOTP itself or the shared secret, maintaining user privacy.

  • Proof Generation: Users generate a zk-SNARK proof that they have a valid TOTP.

  • Proof Verification: Our system verifies this proof without needing to see the actual TOTP code.

CRDT Database with IPFS DAG

User account information, including 2FA details, is stored in a CRDT database. This structure supports an append-only model, ensuring data is tamper-resistant and decentralized.

  • Immutable Storage: Using IPFS DAG, the database ensures that once data is added, it cannot be altered or removed.

  • Decentralization and Resilience: Leveraging IPFS provides a distributed network, enhancing data availability and resilience against attacks or failures.

Implementation Steps

Account Setup

  1. Generate TOTP Secret: Upon account creation, generate a TOTP secret for the user.

  2. Encrypt and Store Secret: Encrypt the secret with the user's public key and store it in the CRDT database, along with the account information.

TOTP Verification with zk-SNARKs

  1. Generate TOTP: The user generates a TOTP on their device.

  2. Create zk-SNARK Proof: The user generates a zk-SNARK proof of having a valid TOTP.

  3. Submit Proof: The user submits the proof for verification.

  4. Verify Proof: Our system verifies the proof, granting access or approving transactions without ever seeing the TOTP code.

Data Storage in CRDT with IPFS DAG

  1. Store Account Information: Account and TOTP information are stored in the CRDT database.

  2. Append-Only Model: Any updates are appended, maintaining a historical record of changes.

  3. IPFS DAG Storage: The CRDT database is stored in an IPFS DAG, ensuring decentralized, immutable storage.

Security Considerations

  • Key Management: Secure management of private keys used for encrypting TOTP secrets is crucial.

  • Proof Verification: Ensure that zk-SNARK proof verification is robust and secure.

  • Data Integrity: Regular audits and checks to ensure the integrity and availability of data stored in the CRDT database on IPFS.

Conclusion

Integrating TOTP with zk-SNARKs and leveraging a CRDT database with IPFS DAG for storage offers a robust, privacy-preserving 2FA solution. This system enhances security for blockchain applications while ensuring data integrity and user privacy.

Last updated